About Sap Hana backup user
Specific users are very important for a hana database system. The sap hana administrator cannot deal with all existing task requirements. That is why specialised tasks such as backup are assigned to a particular team.
A technical backup user is created in the sap hana environment. Specific backup privileges will give the user the right to perform full system backup as well as tenant database backup.
For all hana technical users, connexion have to be protected with a controled password policy and with the hana "user stored key" feature.
How to create sap hana backup users?
There are different ways to create a sap hana BACKUP user. The tool interface hana studio is one way to do it. The best way to create a BACKUP user is using the SQL syntax. With SQL script the BACKUP user can be created on several databases using the same syntax.
CREATE USER MY_BACKUP_USER PASSWORD BackupOnly01 NO FORCE_FIRST_PASSWORD_CHANGE;
Which privileges to assign to sap hana backup user?
A basic Sap hana backup user have to have the following privileges: BACKUP ADMIN and CATALOG READ.
In order to add monitoring capability the following right is needed : MONITORING.
The monitoring privilege allows checking up all the backup status.
Assign privileges to a specific role then assign the role to the backup user.
Backup and monitoring privileges
CREATE ROLE MY_BACKUP_ROLE;
GRANT BACKUP ADMIN, CATALOG READ, MONITORING TO MY_BACKUP_ROLE;
GRANT MY_BACKUP_ROLE TO MY_BACKUP_USER;
How to use SQL script to create a technical sap hana backup user?
Creating a technical sap hana user via an interface such as hana studio is not the best way to go forward. It is difficult to maintain user default privileges that way. Using SQL script or stored procedure will keep user name and privileges under control.
Here is a simple SQL script to create a technical user :
DECLARE LV_USERTYPE varchar(20) := 'TECH_USER';
DECLARE LV_USERNAME varchar(20) := 'BACKUP';
DECLARE LV_USERPREFIX varchar(20) := 'AT';
DECLARE LV_USERSUFFIX varchar(20) := 'TMP';
DECLARE LV_TENANTDBNAME varchar(20) := 'HR01';
DECLARE LV_PROJECTNAME varchar(200);
DECLARE LV_SUFFIX_USERPASS varchar(20);
DECLARE LV_ROLENAME varchar(200);
DECLARE LV_USERFULLNAME varchar(200);
DECLARE LV_USERPASS varchar(200);
DECLARE LV_SQLCREATEUSER varchar(200);
DECLARE LV_SQLCREATEROLE varchar(200);
DECLARE LV_SQLGRANT varchar(200);
LV_ROLENAME := LV_USERPREFIX||'_'||LV_USERTYPE||'_ROLE';
LV_USERFULLNAME := LV_USERPREFIX||'_'||LV_USERTYPE||'_'||LV_USERNAME||'_'||LV_USERSUFFIX;
LV_USERPASS := LV_USERTYPE||LV_TENANTDBNAME||'u01';
LV_SQLCREATEUSER := 'CREATE USER '||LV_USERFULLNAME||' PASSWORD BACKUPOpenBDD01 NO FORCE_FIRST_PASSWORD_CHANGE';
-- command result : CREATE USER AT_TECH_USER_BACKUP_TMP PASSWORD BACKUPOpenBDD01 NO FORCE_FIRST_PASSWORD_CHANGE
LV_SQLGRANT := 'GRANT AT_BACKUP_ROLE TO '||LV_USERFULLNAME;
-- command result : GRANT AT_BACKUP_ROLE TO AT_TECH_USER_BACKUP_TMP
How to protect sap hana backup user access?
The technical user connexion such as a backup user, has to be protected through a password policy and also using the user stored key.
The user stored key is easy to put in place where as the password policy requieres a company user and password management task.
It your company does not have a password security strategy in place, password security may be a probleme with time, as passord cannot be modified so easily without generating connexion issues such as batch processing.
You may end up with backup procedure connexion errors in the first place.
A list of different sap hana technical users
How to create sap hana MODELER users?
Technical user which will deal with data architecture.
How to create sap hana ABAP DEVELOPER users?
Technical user which will perform abap development on the sap hana system databases.
How to create sap hana ADMINISTRATOR users?
Technical user to replace SYSTEM which will perform all current sap hana administration tasks.
How to create sap hana COCKPIT users?
Technical user which will be able to connect to the database system via the hana cockpit web interface.